Training

Course Offerings

** This page only includes the courses I personally teach. To see the full list of courses I’ve produced and deliver through Applied Network Defense, go to http://networkdefense.io. There you’ll find courses on Bro Scripting, Suricata, Regular Expressions, and more! **

Investigation Theory: If you’re a security analyst responsible for investigating alerts, performing forensics, or responding to incidents, then this is the course that will help you gain a deep understanding of how to most effectively catch bad guys and kick them out of your network.
$647
Next Offering: Jan 8
Registration Deadline: Jan 5

Effective Information Security Writing:
$97
Next Offering: Continuous
Open Now!

Practical Packet Analysis: Capturing packets is easy, but making sense of them isn’t. This course will teach you the fundamentals of packet analysis. You’ll learn all about common protocols, how to troubleshoot network issues, and how to investigate security incidents at the packet level.
$797
Next Offering: Continuous
Open Now!

ELK for Security Analysis: It’s time to master your data. This course will teach you how to use Elasticsearch, Logstash, and Kibana (ELK) to build your own IDS console, investigation platform, or security analysis lab.
$497
Next Offering: Jan 15
Registration Deadline: Jan 15

Investigation Theory: The Mind of an Analyst

My name is Chris Sanders, and I’m a security analyst. When I first started out, learning how to investigate threats was challenging because there was no formal training available. Even in modern SOCs today, most training is centered around specific tools and relies too heavily on on-the-job training. There has never been a course dedicated exclusively to the fundamental art and science of the investigation process…until now.

If you’re a security analyst responsible for investigating alerts, performing forensics, or responding to incidents, then this is the course that will help you gain a deep understanding of how to most effectively catch bad guys and kick them out of your network. Investigation Theory is designed to help you overcome the challenges commonly associated with finding and catching bad guys.

I’ve got so many alerts to investigate and I’m not sure how to get through them quickly.

I keep getting overwhelmed by the amount of information I have to work with in an investigation.

Some people just seem to “get” security, but it just doesn’t seem to click for me.

Course Format

Investigation Theory is not like any online security training you’ve taken. It is modeled like a college course and consists of two parts: lecture and lab. The course is delivered on-demand so you can proceed through it at your convenience. However, it’s recommended that you take a standard 10-week completion path, or an accelerated 5-week path. Either way, there are ten modules in total, and each module typically consists of the following components:

1 Core Lecture: Theory and strategy are discussed in a series of video lectures. Each lecture builds on the previous one.

1 Bonus Lecture: Standalone content to address specific topics is provided in every other module.

1 Reading Recommendation: While not meant to be read on pace with the course, I’ve provided a curated reading list along with critical questions to consider to help develop your analyst mindset.

1 Quiz: The quiz isn’t meant to test your knowledge, but rather, to give you an opportunity to apply it to reinforce learning through critical thinking and knowledge retrieval.

1 Lab Exercise: The Investigation Ninja system is used to provide labs that simulate real investigations for you to practice your skills.

Investigation Ninja Lab Environment

This course utilizes the Investigation Ninja web application to simulate real investigation scenarios. By taking a vendor-agnostic approach, Investigation Ninja provides real-world inputs and allows you to query various data sources to uncover evil and decide whether an incident has occurred, and what happened. You’ll look through real data and solve unique challenges that will test your newly learned investigation skills. A custom set of labs has been developed specifically for this course. No matter what toolset you work with in your SOC, Investigation Ninja will prepare you to excel in investigations using a data-driven approach.


Get stuck in a lab? I’m just an e-mail away and can help point you in the right direction. Enjoy the labs and want to go farther? You can purchase additional access to more labs, including our upcoming “Story Mode” where you create a character and progress through eight levels of investigation scenarios while trying to attain the rank of Investigation Ninja!

Instructor Q&A

This isn’t a typical online course where we just give you a bunch of videos and you’re on your own. The results of your progress, quizzes, and labs are reviewed by me, and I provide real-time feedback as you progress. I’m available as a resource to answer questions throughout the course.

Syllabus

Metacognition: How to Approach an Investigation

Evidence: Planning Visibility with a Compromise in Mind

Investigation Playbooks: How to Analyze IPs, Domains, and Files

Open Source Intel: Understanding the Unknown

Mise en Place: Mastering Your Environment with Any Toolset

The Timeline: Tracking the Investigation Process

The Curious Hunter: Finding Investigation Leads without Alerts

Your Own Worst Enemy: Recognizing and Limiting Bias

Reporting: Effective Communication of Breaches and False Alarms

Case Studies in Thinking Like an Analyst

Plus, several bonus lectures!

Cost

Introductory pricing for the course and lab access is $597 for a single user license. Discounts are available for multiple user licenses where at least 10 seats are purchased (please contact me to discuss payment). A portion of the purchase price will go to support multiple charities including the Rural Technology Fund, the Against Malaria Foundation, and others.

You’ll receive:

6-mo Access to Course Videos and Content

6-mo Access to Investigation Ninja

Access to our AND student Slack channel

Access to Chris Sanders online “office hours” held every 7-14 days with 1:1 text/audio/video chat

A Certification of Course Completion

Continuing Education Credits (CPEs/CEUs)

Sign Up Now!

Effective Information Security Writing

I used to hate writing. I got into security because I wanted to catch bad guys and break into things – not because I liked writing reports. I eventually learned that writing is an important part of every security job, and I embraced it. Fifteen years later, I’ve written five books and more security reports than I can count. During this time, I learned that effective writing in security is rare, but when done correctly, it’s one of the best tools in your arsenal.

Effective writing can be a tool that helps you advance your career, set yourself apart from your peers, get more business, and justify resources you need to make your network secure. What I’ve learned, however, is that good writing isn’t about grammar or the things you learned in fourth grade English. Good writing is about understanding your audience, being persuasive, and using a repeatable system that helps you achieve your goals. Effective Information Security Writing is the only online course dedicated to helping you become better at achieving your goals by using writing as a tool in your arsenal.

Whether you struggle with writing and you’re looking for a way to get better at it, or if you’re just looking to take your writing to the next level, you’ll find it in this course. You’ll learn:

My repeatable system for faster, more effective information security writing.

Techniques to bridge the gap between technical and non-technical audiences.

How to tell a story and make your reader empathize with your needs.

The critical components of a penetration testing report and how to write one so that network owners will finally take your findings and recommendations to heart.

How to write compromise reports that aren’t boring, and help stakeholders understand the scope of an attack that has occurred.

How to write more effective short-form communication, including e-mails, case notes, and chat messages.

I’ll also provide templates I use for writing penetration testing reports, case notes, and compromise reports. You’re free to use these as they are, or combine them with your current template. These are templates with a purposeful structure I’ve refined over many years.

Course Format

The Effective Information Security Writing course is delivered using video lectures that are online and on-demand so you can proceed through it at your convenience. Once registered, you’ll be given immediate access and will have that access for three months. The course also includes a discussion forum where you can ask questions and share tips and tricks with other students. The estimated time to complete the course is ~5 hours.

Prerequisites

This course has no prerequisites. It is delivered in English.

Syllabus

* Subject to change as things are added

Module 1: Telling a Story

My system for effective writing

Elements of a story

Theme and plot in security

The process of writing

Module 2: Writing Penetration Testing Reports

Preparing for writing while performing the assessment

Assessment report structure

Describing findings and recommendations

Going the extra mile to deliver value with pen test reports

Module 3: Forensic Writing

A formula for writing case notes

Compromise assessment structure

Malware analysis report structure

Module 4: Most Common Writing Mistakes

Aimless writing and how to recognize it

Zombie words

Common language mistakes

Active vs. Passive voice

Highlighting technical deficiencies without talking down to people

Recognizing and eliminating unnecessary words

Supporting conclusions with evidence

Cost

Introductory pricing for the course and lab access is $97 for a single user license. Site licenses are available for organizations that want to train their entire staff (please contact me to discuss payment). A portion of the purchase price will go to support multiple charities including the Rural Technology Fund, the Against Malaria Foundation, and others.

You’ll receive:

3 month access to course video lectures

Multiple report templates you can start using immediately, without restriction

Access to our AND student Slack channel

Access to Chris Sanders online “office hours” held every 7-14 days with 1:1 text/audio/video chat

A Certification of Course Completion

Continuing Education Credits (CPEs/CEUs)

Sign Up Now!

This course is open continuously. Register any time.

Practical Packet Analysis

It’s easy to fire up Wireshark and capture some packets…but making sense of them is another story. There’s nothing more frustrating than knowing the answers you need lie in a mountain of data that you don’t know how to sift through. That’s why I wrote the first Practical Packet Analysis book a decade ago. That book is now in its third edition, has been translated into several languages, and has sold over 25,000 copies. Now, I’m excited to create an online course based on the book. The Practical Packet Analysis online course is the best way to get hands-on visual experience capturing, dissecting, and making sense of packets.

Practical Packet Analysis takes a fundamental approach by exploring the concepts you need to know without all the fluff that is normally associated with learning about network protocols. Everything you’ll learn is something you can directly apply to the job you have, or the job you want. The ability to understand packets is a critical skill for network engineers, system administrators, security analysts, forensic investigators, and programmers alike. This class will help you build those skills through a series of expert-led lectures, scenario-based demonstrations, and hands-on lab exercises.

The Practical Packet Analysis course is perfect for beginner to intermediate analysts, but seasoned pros will probably learn a few useful techniques too. Whether you’ve never captured packets before, or you have but struggle to manipulate them to effectively achieve your goals, this course will help you get over the hump. You’ll learn:

How networking works at the packet level.

How to interpret packet data at a fundamental level in hexadecimal or binary.

Techniques for capturing packets to make sure you’re collecting the right data.

How to interpret common network and transport layer protocols like IPv4, IPv6, ICMP, TCP, and UDP.

How to interpret common application layer protocols like HTTP, DNS, SMTP, and more.

Normal and abnormal stimulus and response patterns for common protocols.

Troubleshooting connectivity issues at the packet level.

Techniques for carving files from packet streams.

Understanding network latency and how to locate the source.

How common network attacks are seen by intrusion detection systems.

Techniques for investigating security alerts using packet data.

How malware communicates on the network.

Course Format

The Practical Packet Analysis course is delivered completely online using recorded video lectures that you can go through at your convenience. It is modeled like a college course and consists of lectures that overview critical concepts, demonstrations where I walk through packet captures, and lab exercises where you are given packet captures to work through on your own to practice the concepts you’ve learned. There is also a discussion forum where you can ask questions and share tips and tricks with other students. The course includes over 40 hours of video lecture content, and can be completed at whatever pace is comfortable for you.

Prerequisites

This course has no prerequisites, but a basic understanding of networking is helpful. It is delivered in English.

Syllabus

Cost

Introductory pricing for the course is $797 for a single user license. Bulk discounts are available for organizations that want to purchase multiple licenses (please contact me to discuss payment and pricing). A portion of the purchase price will go to support multiple charities including the Rural Technology Fund, the Against Malaria Foundation, and others.

You’ll receive:

6 month access to course video lectures and lab exercises

Access to our AND student Slack channel

Access to Chris Sanders online “office hours” held every 7-14 days with 1:1 text/audio/video chat

A Certification of Course Completion

Continuing Education Credits (CPEs/CEUs)

FAQ

Q: Who is this course designed for?

A: Anyone who wants to learn how to interpret packet data. You’ll gain a lot from this course whether you are a network administrator, systems administrator, network security practitioner, or programmer. Beyond general packet analysis information, there are dedicated sections relevant to all of these specialities.

Q: How much overlap is there between the Practical Packet Analysis book and course?

A: The course covers many of the same things in the book, but goes into much more depth on specific topics. The course also allows for video demos, and includes several additional lab exercises you can work through on your own before watching me work through them in a video. The book can be thought of as an optional textbook for the course, but if you already have the book you’ll gain a lot more from the course.

Q: If the course is online and the videos are recorded, why is the course only run periodically?

A: This course is run periodically so that learners within it can follow a similar path. This allows you to utilize the community discussion board to its fullest. I’m also actively involved in this discussion, and limiting the number of participants ensures I can give individualized attention to every student.

Q: How much packet analysis experience should I have before starting?

A: No previous experience is required. We start with the very basic fundamentals. If you have some experience, you can skip these early sections and dive straight into analysis.

Q: Are there any hands on labs?

A: Yes! Lots of them. You’ll have plenty of opportunity to practice the techniques we discuss.

Q: What tools do you use?

A: This course is primarily centered on Wireshark, but we also use tshark, tcpdump, and a few other tools.

Sign Up Now!

This course is open continuously. Register any time.

ELK for Security Analysis

You must master your data if you want to catch bad guys and find evil. But how can you do that? That’s where the ELK stack comes in.

ELK is Elasticsearch, Logstash, and Kibana, and together they provide a framework for collecting, storing, and investigating network security data. In this course, you’ll learn how to use this powerful trio to perform security analysis. This isn’t just an ELK course; it’s a course on how to use ELK specifically for incident responders, network security monitoring analysts, and other security blue teamers.

You’ll learn the basics of:

Elasticsearch: How data is stored and indexed. Working with JSON documents.

Logstash: How to collect and manipulate structured and unstructured data.

Kibana: Techniques for searching data and building useful visualizations and dashboards.

Beats: Use the agent to ship data from endpoints and servers to your ELK systems.

I’ll also show you how to build complete data pipelines from ingest to search. This means you’ll get to watch step-by-step guides for dealing with security specific data types like:

HTTP Proxy Logs

File-Based Logs (Unix, auth, and application logs)

Windows Events & Sysmon Data

NetFlow Data

IDS Alerts

Dealing with any CSV file you’re handed

Parsing unstructured logs, no matter how weird they are

When you walk away from this course, you should be equipped with the skills you need to build a complete IDS alert console, investigation platform, or security analysis lab.

Course Format

The ELK for Security Analysis course is delivered completely online using recorded video lectures that you can go through at your convenience. It is modeled like a college course and consists of lectures that overview critical concepts, demonstrations where I walk through ELK configuration, and lab exercises where you practice the concepts you’ve learned. There is also a discussion forum where you can ask questions and share tips and tricks with other students. The course can be completed at whatever pace is comfortable for you.

Prerequisites

This course doesn’t require any prior ELK knowledge.
The demonstrations are done on Linux, so a basic understanding of the Linux command line is helpful.
The course is delivered in English.

Syllabus

Cost

Introductory pricing for the course is $497 for a single user license. Bulk discounts are available for organizations that want to purchase multiple licenses (please contact me to discuss payment and pricing). A portion of the purchase price will go to support multiple charities including the Rural Technology Fund, the Against Malaria Foundation, and others.

You’ll receive:

6 month access to course video lectures and lab exercises

Access to our AND student Slack channel

Access to Chris Sanders online “office hours” held every 7-14 days with 1:1 text/audio/video chat

A Certification of Course Completion

Continuing Education Credits (CPEs/CEUs)

FAQ

Q: Who is this course designed for?
A: Anyone who wants to learn how to use ELK to collect, store, and investigate data. This course is specifically targeted at blue teamers like DFIR investigators or NSM analysts. However, you’ll also gain a lot from this course as a red teamer or sysadmin too!

Q: How much ELK experience should I have before starting?
A: No previous experience is required. We start with the fundamentals. If you have some prior knowledge and want to get straight into the sections on building security-related data pipelines, you can do that!

Q: Are there any hands on labs?
A: Yes! Lots of them. You’ll have plenty of opportunities to practice the techniques we discuss. The class is loaded with demonstrations you can follow along with, too!